
group access



Hello Gurus,

I'm making my first attempt at ACLs, and can't seem to get it working.

My tree is:
dc=boxhill,dc=com
    ou=accounts,dc=boxhill,dc=com
            uid=xxx,ou=accounts,dc=boxhill,dc=com
            uid=yyy,ou=accounts,dc=boxhill,dc=com
            uid=zzz,ou=accounts,dc=boxhill,dc=com

I have a group "admindudes" of which user xxx is the only member.
I'm looking for an ACL so that only members of the admindudes group can read the
user entries under accounts.

I add the entries by:
ldapadd -D "cn=Manager,dc=boxhill,dc=com" -W <data.ldif

That works well; it says "adding new entry" for each of the LDIF records.

Now, I try to see if my read access works, by

ldapsearch -L -b "ou=accounts,dc=boxhill,dc=com" -D "uid=xxx,ou=accounts,dc=boxhill,dc=com" "(cn=*)"

This returns nothing (slapd debug output below).

Please tell me where I'm missing out.

Thanks
Joe Sabu.

Here are my files:

slapd.conf
========

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/slapd.at.conf
include /usr/local/etc/openldap/slapd.oc.conf
schemacheck off
#referral ldap://ldap.itd.umich.edu

pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args

#######################################################################
# ldbm database definitions
#######################################################################

database ldbm
suffix "dc=boxhill, dc=com"
rootdn "cn=Manager, dc=boxhill, dc=com"
directory /usr/tmp
rootpw {crypt}UhfanGxIMzepM

access to dn="(.*),ou=(.*),dc=boxhill,dc=com"
by group="cn=admindudes,ou=$2,dc=boxhill,dc=com" read
by * none




data.ldif
=======
dn: dc=boxhill, dc=com
dc: boxhill
o: My Company
objectclass: organization
objectclass: dcObject

dn: cn=Manager, dc=boxhill, dc=com
cn: Manager
sn: Manager
objectclass: person

dn: ou=accounts,dc=boxhill,dc=com
objectclass: top
objectclass: organizationalUnit
ou: accounts

dn: cn=admindudes,ou=accounts,dc=boxhill,dc=com
objectclass: top
objectclass: groupOfNames
cn: admindudes
member: uid=xxx,ou=accounts,dc=boxhill,dc=com

dn: uid=xxx,ou=accounts,dc=boxhill,dc=com
objectclass: Person
uid: xxx
cn: Joe
sn: Sabu

dn: uid=yyy,ou=accounts,dc=boxhill,dc=com
objectclass: Person
uid: yyy
cn: Jason
sn: Dude

dn: uid=zzz,ou=accounts,dc=boxhill,dc=com
objectclass: Person
uid: zzz
cn: Sergey
sn: Stud


The debug output of slapd is:

=> access_allowed: entry (ou=accounts,dc=boxhill,dc=com) attr (cn)

=> acl_get: entry (ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: no match

=> acl_access_allowed: search access to entry "ou=accounts,dc=boxhill,dc=com"

=> acl_access_allowed: search access to value "any" by ""
<= acl_access_allowed: granted by default (no matching to)
listening for connections on 3, activity on: 5r
before select active_threads 1

=> access_allowed: exit (ou=accounts,dc=boxhill,dc=com) attr (cn)

=> access_allowed: entry (cn=admindudes,ou=accounts,dc=boxhill,dc=com) attr (cn)

=> acl_get: entry (cn=admindudes,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl cn=admindudes,ou=accounts,dc=boxhill,dc=com attr: cn

=> acl_access_allowed: search access to entry "cn=admindudes,ou=accounts,dc=boxhill,dc=com"

=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM": member
<= acl_access_allowed: matched by clause #2 access denied

=> access_allowed: exit (cn=admindudes,ou=accounts,dc=boxhill,dc=com) attr (cn)

=> access_allowed: entry (uid=xxx,ou=accounts,dc=boxhill,dc=com) attr (cn)

=> acl_get: entry (uid=xxx,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl uid=xxx,ou=accounts,dc=boxhill,dc=com attr: cn

=> acl_access_allowed: search access to entry "uid=xxx,ou=accounts,dc=boxhill,dc=com"

=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM": member
<= acl_access_allowed: matched by clause #2 access denied

=> access_allowed: exit (uid=xxx,ou=accounts,dc=boxhill,dc=com) attr (cn)

=> access_allowed: entry (uid=yyy,ou=accounts,dc=boxhill,dc=com) attr (cn)

=> acl_get: entry (uid=yyy,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl uid=yyy,ou=accounts,dc=boxhill,dc=com attr: cn

=> acl_access_allowed: search access to entry "uid=yyy,ou=accounts,dc=boxhill,dc=com"

=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM": member
<= acl_access_allowed: matched by clause #2 access denied

=> access_allowed: exit (uid=yyy,ou=accounts,dc=boxhill,dc=com) attr (cn)

=> access_allowed: entry (uid=zzz,ou=accounts,dc=boxhill,dc=com) attr (cn)

=> acl_get: entry (uid=zzz,ou=accounts,dc=boxhill,dc=com) attr (cn)
<= acl_get: [1] backend acl uid=zzz,ou=accounts,dc=boxhill,dc=com attr: cn

=> acl_access_allowed: search access to entry "uid=zzz,ou=accounts,dc=boxhill,dc=com"

=> acl_access_allowed: search access to value "any" by ""
<= ldbm_back_group: "" not in "CN=ADMINDUDES,OU=ACCOUNTS,DC=BOXHILL,DC=COM": member
<= acl_access_allowed: matched by clause #2 access denied

=> access_allowed: exit (uid=zzz,ou=accounts,dc=boxhill,dc=com) attr (cn)
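The debug trace above tells the whole story in one token: every `acl_access_allowed` line reads `by ""`, i.e. the identity slapd evaluated the ACL for is the empty (anonymous) DN, not uid=xxx, so the `group=` clause can never match and evaluation falls through to `by * none`. The model below is an added example, not the poster's code and not OpenLDAP's own implementation; it is a small Python re-implementation of how slapd walks this particular slapd.conf ACL (first matching `access to` regex, then first matching `by` clause, `$2` expanded from the regex capture) against the group and entries from data.ldif, so the decisions and reasons the trace reports can be reproduced offline and the ACL checked for other bind identities before it is deployed. The default access level for entries no `to` clause matches is taken from the trace's own "granted by default (no matching to)" line; the fixture DNs and group membership are copied from the post.

```python
import re

# Constructed fixture: the ACL from the poster's slapd.conf, as
# (to-regex, [by-clauses]); each by-clause is (subject kind, argument, level).
ACL = [
    (
        re.compile(r"^(.*),ou=(.*),dc=boxhill,dc=com$", re.IGNORECASE),
        [
            ("group", "cn=admindudes,ou=$2,dc=boxhill,dc=com", "read"),
            ("*", None, "none"),
        ],
    ),
]

# Constructed fixture: the groupOfNames from data.ldif (group DN -> member DNs).
GROUPS = {
    "cn=admindudes,ou=accounts,dc=boxhill,dc=com": {
        "uid=xxx,ou=accounts,dc=boxhill,dc=com",
    },
}

# Access levels in increasing order; a granted level satisfies any lower request.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Level applied when no "access to" clause matches; the posted trace reports
# "granted by default (no matching to)" for the ou=accounts entry.
DEFAULT_ACCESS = "read"


def norm(dn):
    """Normalise a DN for comparison: lower-case, no whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def expand(template, match):
    """Substitute $1..$9 in a by-clause argument with the to-regex captures."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), template)


def access_allowed(entry_dn, bind_dn, needed):
    """Evaluate the ACL the way the slapd trace does.

    bind_dn == "" models an anonymous request (the `by ""` in the trace).
    Returns (allowed, reason) so the decision can be checked, not just printed.
    """
    for to_regex, by_clauses in ACL:
        m = to_regex.match(entry_dn)
        if not m:
            continue  # "acl_get: no match", try the next access directive
        for n, (kind, arg, level) in enumerate(by_clauses, start=1):
            if kind == "group":
                group_dn = norm(expand(arg, m))
                members = {norm(d) for d in GROUPS.get(group_dn, ())}
                # An anonymous bind is never a member of any group.
                if not bind_dn or norm(bind_dn) not in members:
                    continue  # "<bind> not in <group>: member"
            granted = LEVELS.index(level) >= LEVELS.index(needed)
            verdict = "granted" if granted else "denied"
            return granted, f"matched by clause #{n} access {verdict}"
        return False, "no by clause matched"
    allowed = LEVELS.index(DEFAULT_ACCESS) >= LEVELS.index(needed)
    return allowed, "granted by default (no matching to)"


if __name__ == "__main__":
    # Reproduce the posted search (anonymous) and the intended one (bound as xxx).
    entries = [
        "ou=accounts,dc=boxhill,dc=com",
        "cn=admindudes,ou=accounts,dc=boxhill,dc=com",
        "uid=xxx,ou=accounts,dc=boxhill,dc=com",
        "uid=yyy,ou=accounts,dc=boxhill,dc=com",
    ]
    for who in ("", "uid=xxx,ou=accounts,dc=boxhill,dc=com"):
        print(f'bind dn "{who}":')
        for e in entries:
            ok, why = access_allowed(e, who, "search")
            print(f"  {e}: {'allow' if ok else 'deny'} ({why})")
```

Run as a script it prints the same deny-by-clause-#2 decisions the trace shows for the empty bind DN, and allow-by-clause-#1 once the bind DN is the group member; the `cn=*` search the poster ran needs `search` access on the entries and `read` on the attributes returned, both of which the group clause grants. The model also makes two side effects of the posted regex visible: the `ou=accounts` container itself never matches `(.*),ou=(.*),...` and so falls to the default, and the group entry is protected by the same rule as the user entries.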